WhatsApp attackers can secretly add new members to group chats, research finds

12 January, 2018, 03:29 | Author: Brenda Erickson

Researchers said a flaw in WhatsApp allows anyone who controls the platform's servers to add new people to a private group chat without the permission of the group's administrator.

Here's how WhatsApp group messaging works: membership is maintained by the server.

According to a report in Wired.com, the cryptographers from Ruhr University Bochum in Germany announced this at the "Real World Crypto Security Conference" in Zurich, Switzerland, on Wednesday.

Facebook's Chief Security Officer Alex Stamos took to Twitter to rubbish the claims. However, there appears to be a simple bug in WhatsApp's group mechanism. "If I hear there's end-to-end encryption for both groups and two-party communications, that means adding of new members should be protected against. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted", the spokesperson added. But it has become hard for WhatsApp to keep up its security standards, most importantly when it comes to group chats. It cited the researchers as saying that anyone who controls WhatsApp's servers could effortlessly insert new people into an otherwise private group. That immediately limits the potential of the exploit to employees, sophisticated hackers or governments who can convince the firm to give them access - but the risk is still there, and rather negates the value of WhatsApp's encryption.

As per the research, Signal and WhatsApp fail to properly authenticate who is adding a new member to the group, and it is possible for an unauthorized person, who is not even a member of the group, to add someone to the group chat. The server then checks that the user is authorized to administer that group, and (if so), it sends a message to every member of the group indicating that they should add that user. If they add themselves to the group: 1. Although participants will be notified about the new addition, with full control of the thread the attacker can choose to block messages about it.
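The difference between a client that applies whatever "add" message the server relays and one that authenticates the adder end to end, as an added example that is not WhatsApp's or Signal's code. It assumes each pair of members already shares a secret key the server never sees (an HMAC stands in for a real pairwise session), and all names, keys and message fields are constructed; `demo()` returns the outcome of each case.

```python
import hashlib
import hmac
import json

def mac(key, msg):
    # MAC over a canonical encoding so sender and receiver hash identical bytes.
    data = json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).digest()

class Member:
    def __init__(self, roster, admins, keys):
        self.roster = set(roster)   # local view of group membership
        self.admins = set(admins)   # local view of who may administer the group
        self.keys = keys            # peer name -> key shared only with that peer
        self.seen = {}              # admin name -> highest counter accepted

    def add_trusting_server(self, msg):
        self.roster.add(msg["target"])  # weak form: applies whatever the server relays

    def add_verified(self, msg, tag):
        actor, key = msg.get("actor"), self.keys.get(msg.get("actor"))
        if msg.get("action") != "add" or actor not in self.admins or key is None:
            return False            # not an admin this client knows
        if not hmac.compare_digest(mac(key, msg), tag):
            return False            # server (or anyone without the key) forged it
        if msg.get("counter", 0) <= self.seen.get(actor, 0):
            return False            # replay of an earlier management message
        self.seen[actor] = msg["counter"]
        self.roster.add(msg["target"])
        return True

def demo():
    # Constructed sample data: alice is the only admin; keys are placeholders.
    k_alice, k_carol = b"constructed-alice-bob-key", b"constructed-carol-bob-key"
    group = {"alice", "bob", "carol"}
    bob = Member(group, {"alice"}, {"alice": k_alice, "carol": k_carol})
    naive = Member(group, {"alice"}, {})
    real = {"action": "add", "actor": "alice", "target": "dave", "counter": 1}
    fake = {"action": "add", "actor": "alice", "target": "mallory", "counter": 2}
    by_carol = {"action": "add", "actor": "carol", "target": "erin", "counter": 1}
    naive.add_trusting_server(fake)
    return {
        "genuine": bob.add_verified(real, mac(k_alice, real)),
        "replayed": bob.add_verified(real, mac(k_alice, real)),
        "server_forged": bob.add_verified(fake, bytes(32)),
        "non_admin": bob.add_verified(by_carol, mac(k_carol, by_carol)),
        "verified_roster": sorted(bob.roster),
        "naive_roster": sorted(naive.roster),
    }
```

The verifying client accepts only the add that carries a valid tag from a known admin, while the trusting client ends up with the uninvited member in its roster.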

"The confidentiality of the group is broken as soon as the uninvited member can obtain all the new messages and read them..." The flaw takes advantage of an issue in how WhatsApp handles group chats. One example attack posited that former members of groups could record the group ID and use that for future attacks.

The objective of end-to-end encryption is to remove the need to trust the intermediate servers, so that not even the company or the server that transmits the data can decrypt the messages or abuse its centralized position.

WhatsApp said that the "group invitation bug" is a theoretical danger that's additionally minimized by the fact that users will receive a notification about a new user joining the group. The attackers might send spoofed messages in order to prevent the administrator from removing the spy from the private conversation.
